I've built a tiny program that helps Identify orders in Demandware that have incorrect status, e.g: (status: new, open, completed and shipping-status: not-shipped, shipped).

I basically just use order_search from OCAPI and compare the results with our ERP.

However now I want to automate some of the fixing of status, which would require me to use the /orders/{order_no} GET and PATCH calls, however when I do so, I get the following message:

{ type: 'AccessWithoutUserForbiddenException',
 message: 'An authenticated user is required in order to access resource.' }

According to the docs OAUTH for order_search uses: "Authentication via OAuth token.", however orders/{order_no} uses: "Authentication via OAuth token. A valid user is required."

So what would be the right strategy for becoming a valid user?

a valid user for getting oAuth tokens is a Business Manager user. So please login to Business Manager and create a new user for your use cases and grant the necessary permissions.

After that you are able to execute the particular resources.

Christian

If you are using account.demandware.com as the host then it will throw below error

{ error: 'unauthorized_client', error_description: 'Client id \'xxxxxxxxxxxxxxxxxxx\' has invalid credentials to use grant type \'urn:demandware:params:oauth:grant-type:client-id:dwsid:dwsecuretoken\'.' }

Instead you can change the host to your sandbox host. And try once again. It should work. I was also facing the same issue.

const key = new Buffer('business_manager_email_id' + ":" + 'business_manager_pwd' + ":" + 'client_pwd').toString("base64");
const options = {
    url: 'https://<sandbox_host>/dw/oauth2/access_token?client_id=your_client_id',
    method: "POST",
    headers: {
      'Authorization': "Basic " + key,
      "Content-Type": "application/x-www-form-urlencoded",
    },
    body: "grant_type=urn:demandware:params:oauth:grant-type:client-id:dwsid:dwsecuretoken"
  };